That was the original code in NT4 ... but when they put Unicode in win
2000 they forgot about the 15 other ways you can get a "." including the
URL encoded versions ... %36 (or whatever the character code is) and
boom you have a nice security hole that Code Red (and its 100 variants)
exploited :)
-----Original Message-----
From: Steve Williams [mailto:stevewilliams@kromestudios.com]
Sent: September 25, 2003 12:31 AM
To: dev@subversion.tigris.org
Subject: Re: ".svn" directory name no good (in fact, it is worse than I
thought)
hehehe...
if (strchr(pUrl, '.'))
    return 404;
Can I get paid lots of money now?
Sly
> Just to shed a little more light on the issue. M$ in their "security"
> push has "fixed" IIS so that it cannot accept directory names with "."
> in them. Just try it. Create a folder in your wwwroot called "test.test"
> (put a file in there) and try and get to it. You'll get a page not found
> error. They got burned bad by all the "..\..\winnt\system32\cmd.exe"
> type hacks. VS.NET uses http to grab the files for web projects so that
> remote and local web projects all work in the same way. What I'm saying
> here is that M$ spent a lot of time and $$$ explicitly not allowing
> folders with "." in them so expecting them to do anything about it is
> completely out of the question.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Sep 25 09:55:05 2003
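
Added example, not part of the original messages: the strchr() check quoted in the thread next to a version that percent-decodes the URL once before checking, which is the ordering problem the top reply describes. The function names are hypothetical, the reject-every-"." policy is taken from the check in the thread, and the sample inputs rely on "%2e" being the percent-encoding of "." (0x2E); other encodings such as Unicode forms are out of scope here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* The check as posted in the thread: looks only at the raw bytes of the URL. */
int raw_has_dot(const char *url)
{
    return strchr(url, '.') != NULL;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode one pass into out. Returns 0 on success, -1 on a malformed
 * escape, an encoded NUL, or an output buffer that is too small. */
int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            if (c == 0) return -1;
            in += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Returns 1 (reject) if the URL cannot be decoded or holds '.' once decoded. */
int decoded_has_dot(const char *url)
{
    char buf[256];
    if (url_decode(url, buf, sizeof buf) != 0) return 1;
    /* A '%' left after one pass would decode again downstream: reject it. */
    return strchr(buf, '.') != NULL || strchr(buf, '%') != NULL;
}
```

The raw check passes "/test%2etest/a" while the decode-first check rejects it, and anything that fails to decode is rejected rather than passed through.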